You are Home   »   News   »   View Article

Serious vulnerability discovered in Profinet industrial communication protocol

Thursday, March 19, 2020

A serious vulnerability was recently found in the Profinet industrial communication protocol exposes devices from Siemens, Moxa and possibly other vendors to denial-of-service (DoS) attacks.

The high-severity vulnerability was discovered last year by researchers at OTORIO, who found that an attacker could easily cause devices to enter a DoS condition - in some cases requiring a hard restart for recovery - by sending legitimate Profinet packets over the network.

According to the researchers, the vulnerability is so easy to exploit that it may be triggered by accident by an employee who misconfigures the network and can result in serious disruptions to operational processes.

The company's researchers have confirmed that the vulnerability impacts products from Siemens and Moxa that use Profinet, but they believe products from other vendors may be affected as well. Tens of thousands of devices may be at risk of attacks, but warned that exploitation of the vulnerability is 'almost impossible to detect.'

Younes Dragoni, security researcher for Nozomi Networks commented:
"As the advisories are saying, this vulnerability is quite severe and it's affecting the well-known protocol: Profinet-IO. Specifically, when multiple legitimate diagnostic requests (discovery packets) are sent to the DCE-RPC interface.

"This protocol is mainly used to define the entire communication exchange (variables) between IO-Controllers (control devices: PLCs, DCS, etc.) and the IO-Devices (field devices: sensors, actuators, etc.) as well as for diagnostic purpose and parameter tuning.

"As we can understand, this protocol is quite crucial for keeping the entire process working as expected and in a safe condition; therefore, an unexpected change of some variables' values could lead to an instant shutdown (safety system triggered) or even worst scenarios.

"Considering that we have more vendors than Moxa and Siemens relying on this standard protocol, we can assume that the potential range of affected devices could be even more.

"Apart from patching the affected devices as soon as possible if it's possible, the main suggestion coming from Siemens is to disable the Profinet protocol entirely, but let's remember that this is also another scenario that cannot be accomplished all the time. In this latter scenario, organisations need to increase monitoring on their network in order to prevent potential attacks or operator's mistakes."

Associated Companies
comments powered by Disqus


To attend our free events, receive our newsletter, and receive the free colour Digital Energy Journal.


Clustering Considerations in the Machine Learning Workflow – Examples with Exploration Data
Philip Lesslar
from Precision DM


Latest Edition Apr-May 2020
Apr 2020

Download latest and back issues


Learn more about supporting Digital Energy Journal